GDPR FAQ – all your questions answered (2025)

Often requested questions in relation to the GDPR

The Basic Knowledge Safety Regulation (GDPR), which got here into impact on 25 Might 2018, is a complete algorithm designed to guard the privateness and safety of private information throughout the European Union.

The GDPR goals to standardize information safety legal guidelines throughout all EU member states and applies to any group that processes the private information of EU residents, no matter the place the group is predicated.

Regardless of the GDPR being in impact for a number of years, many companies are nonetheless battling compliance.

In 2018, Gartner predicted that greater than 50% of firms affected by the GDPR wouldn’t be in full compliance by the top of that yr. More moderen research present that compliance stays a problem, with a big variety of companies nonetheless dealing with enforcement actions as a result of non-compliance.

The GDPR permits regulators to impose fines of as much as €20 million or 4% of annual world turnover, whichever is increased.

The very best fines to this point embrace:

• Amazon (€746 million, 2021) – Violation of consent necessities for focused promoting.
• Meta (Fb/Instagram/WhatsApp) (€405 million, 2022) – Improper dealing with of youngsters’s information.
• Google (€50 million, 2019) – Lack of transparency and insufficient consent mechanisms.
• TikTok (€345 million, 2023) – Violations relating to kids’s information privateness.

With enforcement actions growing, organizations must take GDPR compliance seriously to keep away from hefty fines and reputational harm.

Due to this fact, we’ve got compiled a listing of essentially the most ceaselessly requested questions regarding the GDPR and supplied a collection of solutions.

1. “The GDPR covers e mail and e mail communications – does it additionally embrace phone communication? What if I purchase a listing of telephone numbers and name every particular person?”

Earlier than contacting people from a bought record, ask your self:

• Was the info collected with correct consent?
• Did people explicitly conform to be contacted by third events?

If the reply to both query is “no,” then utilizing such a listing would possible violate the GDPR. Consent have to be particular, knowledgeable, and freely given for every processing exercise.

Moreover, for those who document calls, this falls below the GDPR’s definition of knowledge processing. Beneath the GDPR, companies should justify name recording below one of many following circumstances:

• The people gave specific consent to the recording.
• Recording is important to satisfy a contract.
• Recording is required to adjust to a authorized obligation.
• Recording is important to guard the important pursuits of a participant.
• Recording is within the public curiosity or a part of an official responsibility.
• Recording is within the professional pursuits of the corporate, except overridden by the person’s rights.
• Recording calls with out justification or with out correctly informing the people concerned may end up in regulatory penalties.

2. “Are these guidelines or tips? What’s the distinction?”

To be clear, the GDPR is regulation – and never advisory.

Companies that course of private information of European Union (EU) residents, no matter whether or not they function in or exterior the EU, should adjust to the GDPR. Failure to stick to the GDPR may end up in fines of as much as 20 million Euros or 4% of the group’s worldwide turnover (whichever is larger).

Much less severe violations comparable to improper information or failing to inform the related authority of a breach may end up in fines of two% of the group’s annual worldwide turnover, or 10 million Euros.

3. “Who will truly situation the fines? Who would you contact to complain about an organization? Who will contact you if there was a breach (i.e. is it a European physique)?”

Every EU Member State has a Supervisory Authority (SA) accountable for implementing GDPR, issuing fines, and dealing with complaints. Within the UK, the enforcement physique is the Data Commissioner’s Workplace (ICO).

In the event you want to report a GDPR violation, you must file a criticism together with your nation’s related Knowledge Safety Authority (DPA).

As of 2025, GDPR enforcement has resulted in over 1,200 fines throughout the EU, totaling greater than €4 billion in penalties. Essentially the most closely fined sectors embrace expertise, retail, and monetary providers. Notably, Eire’s Knowledge Safety Fee (DPC) and France’s CNIL have been significantly lively in enforcement actions towards world tech firms.

4. “How does Brexit have an effect on information safety and AI compliance?”

After Brexit, the UK adopted the UK GDPR, which is basically similar to the EU GDPR however is ruled below the Knowledge Safety Act 2018 (DPA 2018).

The UK GDPR and the DPA 2018 collectively outline the UK’s information safety framework. Organizations processing information from each UK and EU residents should adjust to each UK GDPR and EU GDPR, guaranteeing they meet the necessities of each regulatory environments.

If your organization targets EU clients, you might have to appoint an EU consultant for GDPR compliance functions. Likewise, if an EU firm processes UK private information, it might have to appoint a UK consultant.

A key space of concern below each frameworks is automated decision-making and AI. Beneath GDPR, people have the fitting to not be topic to solely automated selections that produce authorized or vital results. This means companies using AI-driven processes, comparable to automated credit score scoring, recruitment screening, or profiling, should implement safeguards, together with human intervention, transparency, and justification for such selections.

5. “The regulation talks about ‘information controllers’ and ‘processors’, what are they?”

Of their easiest varieties, information controllers are those who decide how information is used and processed. Knowledge processors course of information on behalf of a controller.

Listed below are some examples of knowledge controllers: authorities our bodies, voluntary organisations, hospitals, and even your Web Service Supplier (ISP).

Listed below are some examples of knowledge processors: accountants, market analysis firms, surveyors – anybody who processes information on behalf of another person (a person or firm).

For instance, we – as a advertising consultancy – could be a knowledge controller and information processor. We accumulate private info from web site guests and web site guests who fill in varieties and management that information, as we resolve on what to maintain and to make use of in our digital advertising efforts.

We course of that information as nicely. Holding it, organising it, analysing it, adapting it, retrieving it, erasing, combining and rather more. It could possibly be so simple as acquiring a brand new lead through your web site and including that lead’s info into your CRM or enhancing contact information.

6. “Who’s accountable for the info inside advertising companies?”

Merely put, everybody!

Having a transparent view of your enterprise’ information throughout the division is vital to making sure you meet the necessities of the GDPR. Good information governance must be pushed from the highest down (I’m taking a look at you, C-Suite) and on that foundation, begins with the seniors within the enterprise driving it ahead.

That stated, the GDPR does require that sure companies, organisations and establishments appoint a DPO (Knowledge Safety Officer) to supervise the enterprise’ information administration.

Beneath the GDPR you could appoint a knowledge safety officer for those who:

• Are a public authority (apart from courts performing of their judicial capability);
• Perform large-scale systematic monitoring of people (for instance, on-line behaviour monitoring); or
• Perform large-scale processing of particular classes of knowledge or information regarding prison convictions and workplaces

You might appoint a single information safety officer to behave on behalf of a bunch of firms or public authorities. Any organisation can appoint a DPO, no matter whether or not the GDPR requires you to take action.

7. “What occurs if I lose a laptop computer/firm cell phone/USB that has delicate information on it – who do I report it to?”

Firstly, you solely have to notify the related supervisory authority of a breach the place it’s more likely to threat the rights and freedoms of people, comparable to their human rights and freedom of expression, for instance.

Supervisory authorities differ from nation to nation, however within the UK, it’s the ICO – the Data Commissioner’s Workplace – based mostly in Wilmslow, Cheshire, however with workplaces in Scotland, Wales and Northern Eire.

For instance, if the breach may have a detrimental impact on people, leading to (and the ICO states) discrimination, harm to fame, monetary loss, lack of confidentiality or another vital financial or social drawback.

For instance, if a breach of buyer particulars leaves clients open to identification theft, that have to be reported. People have to be notified instantly if it’s a high-risk breach, in addition to the related supervisory authority. For these within the UK, this implies telling the person and informing the ICO.

8. “Will information suppliers now exit of enterprise? Absolutely they’ll promote GDPR-compliant information lists?”

Maybe, however extra possible they must work more durable and subsequently prices will enhance. Knowledge suppliers might want to reassess the best way wherein they construct their lists.

They might want to receive consent from every particular person on the record to allow them to compile that info – and they’re going to additionally have to receive separate consent from them to allow them to promote that record to 3rd events. It’s loads of work, however it may be carried out.

9. “Is double opt-in a steering or a regulation? Does GDPR embrace ‘double opt-in’? I.e. A web site customer stated “OK” passively, however do I would like to substantiate their consent? Absolutely single consent is sufficient?”

No, double opt-in shouldn’t be a authorized requirement below GDPR. Nevertheless, it’s thought-about best practice because it provides stronger evidence of consent.

Organizations should be certain that consent is:

• Freely given, particular, knowledgeable, and unambiguous.
• An lively alternative (e.g., no pre-ticked bins).
• Simply withdrawable.

Nevertheless, completely different jurisdictions inside and outdoors the EU have various interpretations of opt-in necessities:

• Germany: Has the strictest interpretation within the EU. Double opt-in is successfully required for e mail advertising as a result of burden of proof necessities in German regulation. Courts have constantly dominated that single opt-in is inadequate to show consent.
• Austria: Much like Germany, Austrian courts strongly favor double opt-in. Whereas not strictly required by regulation, it’s thought-about the most secure means to make sure compliance.
• China (PIPL – Private Data Safety Legislation): Carried out in 2021, China’s PIPL has stringent consent necessities. Whereas double opt-in shouldn’t be explicitly required, firms usually implement it as a greatest follow as a result of strict enforcement.
• Brazil (LGPD – Lei Geral de Proteção de Dados): Much like GDPR, LGPD requires clear, affirmative consent however doesn’t mandate double opt-in. Nevertheless, as a result of burden of proof on companies, many firms undertake double opt-in to make sure compliance.

Given these regional variations, organizations working throughout a number of jurisdictions ought to contemplate implementing double opt-in as a world greatest follow to keep away from regulatory threat and guarantee compliance.

10. “What about my contact database? Can I nonetheless e mail these individuals?”

The GDPR states that you’re not required to mechanically ‘repaper’ or refresh all present DPA consents in preparation for the GDPR. However for those who depend on people’ consent to course of their information, be sure that it’ll meet the GDPR normal of being particular, granular, clear, distinguished, opt-in, correctly documented and simply withdrawn. So, be sure to replace your consent mechanisms if wants be!

We hope you have got discovered this GDPR FAQ doc to be helpful and could be very joyful for those who have been to share it with others via social media. After all, this can be a residing doc and will probably be routinely up to date up till the graduation of the GDPR to make sure absolute accuracy.

11. “What are the authorized/lawful bases for processing?”

Beneath GDPR, there are six lawful bases/grounds for processing. At the least certainly one of these should apply everytime you course of private information (to search out out extra about private information, please see ‘What’s private information/info).

No single authorized foundation is best than one other however the authorized foundation you select will rely upon your enterprise and your necessities.

The six authorized bases are as follows:

1. Consent: the person – the info topic – has consented to the processing of their information
2. Contract: processing is important for the efficiency of a contract to which the info topic is celebration or with a view to take steps on the request of the info topic previous to coming into right into a contract
3. Authorized obligation: processing is important for compliance with a authorized obligation to which the controller is topic.
4. Important pursuits: processing is important with a view to shield the important pursuits of the info topic or of one other pure particular person.
5. Public pursuits: processing is important for the efficiency of a job carried out within the public curiosity or within the train of official authority vested within the controller.
6. Official pursuits: processing is important for the aim of the professional pursued by the controller or by the third celebration besides the place such pursuits are overridden by the pursuits or basic rights and freedoms of the info topic which require safety of private information, specifically the place the info topic is a toddler

12. “What’s private information vs delicate information vs extremely delicate information?”

Private information refers to any info associated to an identifiable one who could be straight or not directly recognized by reference to an identifier.

Examples of private information embrace:

• Title
• E-mail tackle
• Identification quantity
• Location information
• On-line identifiers (e.g., IP tackle, cookie ID)

Delicate private information (or particular class information) requires additional protection measures due to its sensitive nature. Processing one of these information sometimes requires a transparent authorized foundation and, most often, specific consent.

Examples of delicate private information embrace:

• Racial or ethnic origin
• Political beliefs
• Spiritual or philosophical beliefs
• Commerce union membership
• Genetic and biometric information (for identification functions)
• Well being-related info
• Sexual orientation or intercourse life

Extremely delicate information refers to info that would trigger extreme hurt if disclosed or misused. Whereas GDPR doesn’t explicitly outline this class, many organizations apply stricter safety measures to guard it.

Examples of extremely delicate information embrace:

• Nationwide insurance coverage or social safety numbers
• Passport or driver’s license particulars
• Monetary account numbers and bank card particulars
• Authentication credentials (e.g., passwords, safety solutions)
• Extremely confidential enterprise or authorized paperwork

Organizations dealing with delicate or extremely delicate information should implement robust encryption, strict entry controls, and enhanced compliance monitoring to stop unauthorized entry or information breaches.

13. “What’s the proper to be forgotten?”

The suitable to be forgotten – often known as the fitting to erasure – is the place people have the fitting for his or her private information to be erased fully. People could make a request for erasure verbally or in writing.

14. “What’s delicate private information?”

Delicate private information is particular class information consists of details about a person’s:

• Race
• Ethnic origin
• Politics
• Faith
• Commerce union membership
• Genetics
• Biometrics
• Well being
• Intercourse life; or Sexual orientation

The sort of information, in response to the ICO, might create extra vital dangers to an individual’s ‘basic rights and freedoms’.

15. “What rights do people have below GDPR?”

Beneath GDPR, people have the next rights:

• The suitable to learn
• The suitable of entry
• The suitable to rectification
• The suitable to erasure
• The suitable to limit processing
• The suitable to information portability
• The suitable to object
• Rights in relation to automated determination making and profiling

Keep compliant and shield your enterprise

GDPR compliance is an ongoing course of that requires companies to remain knowledgeable and proactive in dealing with private information.

Understanding the important thing rules, rights, and obligations below the regulation is important to keep away from hefty fines and preserve buyer belief.

In the event you want steering on how one can align your enterprise with GDPR necessities, reach out to us today, our team of experts is here to help.